08 August 2022

Data breach disclosure law in Australia


The colony has taken quite some time to enact law that may protect consumers, workers and public servants in the I.T. world, in particular with regard to data breaches, which have been going on for a few decades now, and the lack of reporting of them.

The law is ultra quick to act with regard to gazetting speed measuring equipment, which is heavily relied upon for revenue raising under the pretext of safety.

On February 22, 2018 the Federal Government’s new Scheme for the mandatory reporting of cybersecurity breaches that result in the loss of personal data came into effect. Every private and public company with annual turnover of $3 million or more, listed or not, is now required to report a cyber breach to the Office of the Australian Information Commissioner (OAIC) and notify affected customers as soon as they become aware of a breach.

The threshold for notification under the new Act is more onerous than most other global jurisdictions, with the test based on whether the breach “is likely to result” in serious harm to an affected individual. Mandatory reporting relieves companies from having to make judgement calls about materiality – ANY breach that ‘is likely to result in serious harm’ to an individual will be reportable. This could occur when there is unauthorised access to, disclosure or loss of customer information held by an entity. Such information includes personal details, credit reporting information, credit eligibility information, and tax file number information. Companies must report the breach within 72 hours.

On 22 February 2018, the Privacy Act 1988 (Cth) (the Act) was amended to introduce a mandatory data breach notification regime, the Notifiable Data Breaches scheme (NDB scheme). Australian Privacy Principle (APP) entities bound by the Act must now report specified breaches of privacy.

Such data breaches must be notified to the Office of the Australian Information Commissioner (OAIC). In addition, individuals that are likely to suffer serious harm as a result of that breach must also be notified. Businesses need to act quickly to contain and address such privacy breaches, and practitioners need to be aware of the requirements and the time frames for action.

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) amended the Act to bring into force the NDB scheme. The legislation introduces a set of onerous reporting obligations for those already bound by privacy obligations under the Act. The OAIC is already reporting a flurry of activity in this area. This article outlines the provisions of the NDB scheme and provides examples of how it may apply in practice.

The new data breach notification regime will apply to those already bound by the Act, including businesses with an annual turnover of $3 million or more. Such entities are called APP entities.
